Cloudflare service used by 5.5 million sites may have leaked passwords and auth tokens

this sort of thing is getting more and more common it seems. i think a class action suit or two would start making these type of companies get their shhhtuff together.
 
Would be nice if one of these password managers could automate the task of changing passwords on all your accounts. Inevitably something like this will happen again would be nice to just press a button and every site gets a new random password.

Agreed, but since every site has a different UI it's not really possible.
 
I have no idea where you get your information from but that is totally false. It affects every website that uses Cloudflare's features of email obfuscation, server side excludes and HTTPS rewrites. You should read the actual blog so you know what you are talking about. Basically if you log in to any website that uses Cloudflare you should change your password. There are over 77 million websites using Cloudflare.

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

The blog mentions a similar number which I suspect is where those numbers came from.

With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines.

However that is just what they found via the search engines they contacted of course.

I'm not convinced they're playing it down. They're typically pretty transparent with this stuff and when you consider the following:

The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).

I am not too worried about it, but that's just me. I 2FA up on everything anyway, and all my passwords are unique thanks to LastPass. Always a nice cushion when I hear about this sort of stuff cropping up!!

It also explains why one of my websites broke the other day because it also affected the HTTP to HTTPS rewrites function which was silently disabled, causing Google fonts to be called over HTTP, which failed due to me using HSTS, and the theme on that site had hard coded http:// links instead of just // ... doh!
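The breakage described in the post above (a theme with hard-coded http:// asset links that only worked because Cloudflare's HTTP-to-HTTPS rewrite was silently fixing them) is easy to catch before it bites. The following is an added example, not code from the thread or from Cloudflare: a small scanner that flags http:// URLs in asset-loading tags (stylesheets, scripts, images, frames, media) and an upgrader that rewrites only those to https://, leaving ordinary navigation links alone. The HTML snippet is constructed for the example and the `.test` hostnames are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: two asset URLs are loaded over plain HTTP, which a
# browser on an HSTS/HTTPS page will block as mixed content once nothing
# upstream rewrites them. The <a href> is navigation, not mixed content.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://cdn.example.test/logo.png" alt="logo">
<a href="http://example.test/about">About</a>
</body></html>
"""

# (tag, attribute) pairs that cause the browser to fetch a sub-resource.
ASSET_ATTRS = {
    ("link", "href"), ("script", "src"), ("img", "src"), ("iframe", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"),
}


class InsecureAssetFinder(HTMLParser):
    """Collects (tag, attr, url) for every sub-resource loaded over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in ASSET_ATTRS and value and value.lower().startswith("http://"):
                self.findings.append((tag, name, value))


def find_insecure_assets(html):
    """Return the list of asset references that would be mixed content on an HTTPS page."""
    parser = InsecureAssetFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Match whole asset tags so that only their src/href attributes get rewritten.
ASSET_TAG_RE = re.compile(r"<(?:link|script|img|iframe|source|video|audio)\b[^>]*>", re.I)


def _upgrade_tag(match):
    # Swap the scheme on src/href inside this one tag; everything else untouched.
    return re.sub(r"\b(src|href)=([\"'])http://", r"\1=\2https://", match.group(0), flags=re.I)


def upgrade_asset_urls(html):
    """Rewrite http:// to https:// on asset-loading attributes only."""
    return ASSET_TAG_RE.sub(_upgrade_tag, html)


if __name__ == "__main__":
    for tag, attr, url in find_insecure_assets(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}={url!r}>")
    fixed = upgrade_asset_urls(SAMPLE_HTML)
    print("remaining after upgrade:", find_insecure_assets(fixed))
```

Run it against a rendered page of the site (for example `curl -s https://your-site/ | python scanner.py` with a small read from stdin added) to list what a CDN-side rewrite had been silently hiding; the upgrader is a starting point for patching a theme, not a substitute for fixing the templates.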
 
why not read it. it tells you.
I did, it tells me they think they are secure, but not that their data was exposed, or that their data hasn't been mined.
Just that their redundant procedures have hopefully kept everyone safe.

Data isn't secure, it may well be everywhere, it just happens to be encrypted (twice) and useless. There is a difference, pedantic, but a difference.
 
is there a list of sites affected?

Potentially any of the 77 million domain names in the linked zip file on this page. Be prepared to do a lot of searching of the document to find all the sites that you potentially use. Just to be safe, change your passwords on any Cloudflare site.

The rest of the tech world has acknowledged that this was the biggest single security issue to crop up in a long time.

https://github.com/pirate/sites-using-cloudflare
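Rather than searching a 77-million-line file by hand for every site you use, the two lists can be intersected: the domains from a password-manager export on one side, the affected-domain list on the other. This is an added example and not code from the thread or the linked repository. It assumes a CSV export with a `url` column (the common password-manager export shape) and matches each login's hostname against the affected list by suffix, so that `login.example.com` is caught when the list only says `example.com`. Both lists below are constructed placeholders.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed stand-in for the affected-domain list (the real one is the
# multi-million-line zip linked above; load it into a set the same way).
CLOUDFLARE_DOMAINS = {"example.com", "shop.example.org", "forum.test"}

# Constructed stand-in for a password-manager CSV export; only the url column
# is needed, so no secrets are read or printed.
SAMPLE_EXPORT = """url,username
https://login.example.com/session,alice
https://mail.example.org/,alice
https://shop.example.org/account,alice
http://forum.test/login,alice
https://unrelated.example.net/,alice
"""


def hostname_candidates(host):
    """All suffixes of a hostname with at least two labels, most specific first.

    'login.example.com' -> ['login.example.com', 'example.com']
    """
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def matching_domain(host, affected):
    """Return the entry of `affected` that covers `host`, or None."""
    for candidate in hostname_candidates(host):
        if candidate in affected:
            return candidate
    return None


def accounts_to_rotate(export_csv, affected):
    """Return (url, matched_domain) for every export row whose host is on the affected list."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        host = urlsplit(row.get("url", "")).hostname
        if not host:
            continue  # blank or malformed url column
        matched = matching_domain(host, affected)
        if matched:
            hits.append((row["url"], matched))
    return hits


if __name__ == "__main__":
    for url, domain in accounts_to_rotate(SAMPLE_EXPORT, CLOUDFLARE_DOMAINS):
        print(f"rotate: {url}  (listed as {domain})")
```

For the real list, read the zip's text file line by line into a set before calling `accounts_to_rotate`; membership tests stay fast even at tens of millions of entries, and the suffix walk means a bare registrable domain in the list still matches the login subdomain you actually use.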
 